Attendees:

Voting Participants: Denny Prvu, Martin Smith, Michael Magrath, Richard Wilsher, Andrew Hughes, Mark Hapner, Jimmy Jung
Other Participants: Mark Aaronson
Staff: Kay Chopard, Lynzie Adams

Proposed Agenda

  1. Administration:

    • Roll call, determination of quorum

    • Minutes approval - 2023-01-05 Minutes

    • General Updates

    • Assurance Updates

  2.  Discussion: 

  3. Any Other Business

Meeting Notes 

Administrative Items:

IAWG Vice-Chair Denny Prvu called the meeting to order.  Roll was called. Meeting was quorate. 

Minutes Approval   

Mark Hapner moved to approve the draft minutes from the January 5 IAWG meeting. Michael Magrath seconded the motion. Motion carried with no objections. 

General Updates

Andrew and Kay debriefed the joint industry meeting from earlier in the week. They were both encouraged that NIST seems really interested in getting feedback from the field. Kay and Andrew also used this time to recruit heavily for Kantara.

Lynzie shared some IAWG specific updates:

  • Beginning February 16, the IAWG calls will move to 12:00 pm ET.

  • All questions/topics for the February 9 NIST meeting must be submitted by the end of the meeting on February 9. Lynzie will leave time on the agenda to collect comments from the group, but please feel free to submit them to her early via email.

Assurance Updates

March 24 is the due date for all NIST comments on 800-63-4. The same date applies to PIV drafts 800-157-1 and 800-217. Please submit all comments that you would like included WITH the Kantara submission to comments_iawg@kantarainitiative.org. Specific questions from NIST can be found here.

Discussion:

Revision 4

The revision 4 wiki space has been updated with some important dates and links. Please keep an eye on it.

Martin asked what the implications would be for us if NIST decided to cite FIDO in the publication. There was discussion around whether or not FIDO was specifically named. After searching through the four volumes, Michael could only find FIDO referenced in one of the questions NIST asks reviewers to respond to, and that should not lead one to believe FIDO will be named in the final publication.

  • Are emerging authentication models and techniques – such as FIDO passkey, verifiable credentials, and mobile driver’s licenses – sufficiently addressed and accommodated, as appropriate, by the guidelines? What are the potential associated security, privacy, and usability benefits and risks?

Richard asked how final this draft is, considering its title ‘initial public draft’. It was shared in the January 12 webinar that NIST is considering putting out a subsequent draft of all or any individual volume of this release. That will depend on the comments received during the public review period. Andrew does not believe there will be a second draft; rather, anything not addressed in revision 4 will be focused on in revision 5.

Topics that came up in discussion that might warrant further discussion with NIST:

  • Very little discussion about equity and how that was achieved - and whether the standard is sufficient for it. The impression was that there wasn’t much interest or focus on it in the discussion at all. Issue with proofing - allow someone who was already proofed at the target assurance to act as a local credential for the applicant. That person does not need to be employed by the agency or CSP. (noted by Mark Hapner, Michael agreed; Richard also addressed equity). Andrew noted that some questions can/should be formulated from this to shape up their thinking on this topic and allow us to query the basis for some comments. What do you see as the regulatory/legislative imperatives, and how do they intersect with 800-63?

  • The focus on biometrics is primarily as a means of locally unlocking the authenticator - and when they start talking about biometrics captured by the service, the spec is weak - from an equity perspective. (noted by Mark Hapner, Michael agreed).

  • The bar being too high for Level 1 when it comes to EI - shutting out a significant part of the population. (noted by Michael).

Any Other Business:

The next scheduled meeting will be February 2, 2023.

IAWG leadership keeps an action item list.
All IAWG participants should be aware that the spreadsheet exists and that it lists everything we think the IAWG is working on or planning to work on. Please feel free to review it and correct it if needed - it is not our intent to overlook something!
